diff --git a/.github/workflows/build.yml b/.github/workflows/build.yml index b6b5c4e25..e02a6e6e2 100644 --- a/.github/workflows/build.yml +++ b/.github/workflows/build.yml @@ -5,10 +5,17 @@ on: branches: [trunk] workflow_dispatch: +# Disable permissions for all available scopes by default. +# Any needed permissions should be configured at the job level. +permissions: {} + jobs: build: name: Build runs-on: ubuntu-latest + timeout-minutes: 30 + permissions: + contents: write # Required to push the build branch steps: - name: Checkout repository uses: actions/checkout@v4 diff --git a/.github/workflows/comment-with-checklist.yml b/.github/workflows/comment-with-checklist.yml index 21c11099d..706a7afbb 100644 --- a/.github/workflows/comment-with-checklist.yml +++ b/.github/workflows/comment-with-checklist.yml @@ -8,11 +8,16 @@ on: content-type: type: string +# Disable permissions for all available scopes by default. +# Any needed permissions should be configured at the job level. +permissions: {} + jobs: add-comment: runs-on: ubuntu-latest + timeout-minutes: 10 permissions: - issues: write + issues: write # Required to comment on issues and add labels steps: - uses: peter-evans/create-or-update-comment@v3 if: contains(inputs.content-type, 'tutorial') diff --git a/.github/workflows/content-checklist-from-comment.yml b/.github/workflows/content-checklist-from-comment.yml index e6008989b..a03391e3b 100644 --- a/.github/workflows/content-checklist-from-comment.yml +++ b/.github/workflows/content-checklist-from-comment.yml 
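Review bot: The build job now holds a `contents: write` token, yet the only step visible in the hunk, `actions/checkout@v4`, is referenced by a mutable tag rather than a commit SHA, so whoever controls that tag runs code with a token that can push to this repository. Elsewhere in this same change (automate-review-documentation.yml) `peter-evans/create-or-update-comment` is pinned to a full SHA; apply the same policy here, e.g. `uses: actions/checkout@<full-commit-sha> # v4`, and to the remaining steps of the job, which lie outside the hunk. The top-level `permissions: {}` plus a per-job grant is the right shape; it would also help reviewers if the `contents: write` comment named the branch that is pushed, so it can be confirmed that `trunk` itself is not a target.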
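Review bot: `peter-evans/create-or-update-comment@v3` in the `add-comment` job is a floating tag, and because this reusable workflow is the one that actually exercises the `issues: write` token for every caller, it is the most valuable place to pin to a commit SHA — the same action is already SHA-pinned in automate-review-documentation.yml within this diff. The step condition `contains(inputs.content-type, 'tutorial')` is a substring test; if any later step (outside the hunk) gates on `'lesson'`, it will also fire for a `'lesson-plan'` input, so an equality check such as `if: inputs.content-type == 'tutorial'` is safer for every step. The remaining steps of the job are not visible here.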
@@ -6,33 +6,47 @@ on: types: created # types: [created, edited] <= Use this if we want the workflow to run when a comment is edited, too +# Disable permissions for all available scopes by default. +# Any needed permissions should be configured at the job level. +permissions: {} + jobs: tutorial-issue: if: ${{ contains(github.event.comment.body, '//tutorial') }} + permissions: + issues: write # Required to comment on issues and add labels uses: ./.github/workflows/comment-with-checklist.yml with: content-type: 'tutorial' online-workshop-issue: if: ${{ contains(github.event.comment.body, '//online-workshop') }} + permissions: + issues: write # Required to comment on issues and add labels uses: ./.github/workflows/comment-with-checklist.yml with: content-type: 'online-workshop' lesson-plan-issue: if: ${{ contains(github.event.comment.body, '//lesson-plan') }} + permissions: + issues: write # Required to comment on issues and add labels uses: ./.github/workflows/comment-with-checklist.yml with: content-type: 'lesson-plan' course-issue: if: ${{ contains(github.event.comment.body, '//course') }} + permissions: + issues: write # Required to comment on issues and add labels uses: ./.github/workflows/comment-with-checklist.yml with: content-type: 'course' lesson-issue: if: ${{ contains(github.event.comment.body, '//lesson') }} + permissions: + issues: write # Required to comment on issues and add labels uses: ./.github/workflows/comment-with-checklist.yml with: content-type: 'lesson' diff --git a/.github/workflows/content-checklist-from-issue.yml b/.github/workflows/content-checklist-from-issue.yml index 64844b48f..8476092d5 100644 --- a/.github/workflows/content-checklist-from-issue.yml +++ b/.github/workflows/content-checklist-from-issue.yml 
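Review bot: The `lesson-issue` condition `contains(github.event.comment.body, '//lesson')` is also true for a comment that contains `//lesson-plan`, so a single `//lesson-plan` comment starts both `lesson-plan-issue` and `lesson-issue` and the issue receives two checklists. Exclude the longer command explicitly, `if: ${{ contains(github.event.comment.body, '//lesson') && !contains(github.event.comment.body, '//lesson-plan') }}`, or move all jobs to tokens that are not prefixes of one another. Separately, `issue_comment` fires for any account that can comment and also for comments on pull requests; since the called workflow acts with `issues: write`, each job's `if` should at least add `&& !github.event.issue.pull_request` (as label-feedback-from-comment.yml already does) and, if drive-by triggering is unwanted, a check on `github.event.comment.author_association`.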
@@ -6,33 +6,47 @@ on: types: opened # types: [opened, edited] <= Use this if we want the workflow to run when an issue is edited, too +# Disable permissions for all available scopes by default. +# Any needed permissions should be configured at the job level. +permissions: {} + jobs: tutorial-issue: if: ${{ contains(github.event.issue.body, '//tutorial') }} + permissions: + issues: write # Required to comment on issues and add labels uses: ./.github/workflows/comment-with-checklist.yml with: content-type: 'tutorial' online-workshop-issue: if: ${{ contains(github.event.issue.body, '//online-workshop') }} + permissions: + issues: write # Required to comment on issues and add labels uses: ./.github/workflows/comment-with-checklist.yml with: content-type: 'online-workshop' lesson-plan-issue: if: ${{ contains(github.event.issue.body, '//teach') }} + permissions: + issues: write # Required to comment on issues and add labels uses: ./.github/workflows/comment-with-checklist.yml with: content-type: 'teach' course-issue: if: ${{ contains(github.event.issue.body, '//course') }} + permissions: + issues: write # Required to comment on issues and add labels uses: ./.github/workflows/comment-with-checklist.yml with: content-type: 'course' lesson-issue: if: ${{ contains(github.event.issue.body, '//lesson') }} + permissions: + issues: write # Required to comment on issues and add labels uses: ./.github/workflows/comment-with-checklist.yml with: content-type: 'lesson' diff --git a/.github/workflows/i18n.yml b/.github/workflows/i18n.yml index 880ce7992..9db096e26 100644 --- a/.github/workflows/i18n.yml +++ b/.github/workflows/i18n.yml 
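Review bot: `lesson-plan-issue` here triggers on `//teach` and passes `content-type: 'teach'`, while its comment-driven twin in content-checklist-from-comment.yml uses `//lesson-plan` and `'lesson-plan'` for the same job; the reusable workflow selects its checklist with `contains(inputs.content-type, …)`, so if no step there checks for `'teach'` this job runs with `issues: write` and posts nothing (those steps are outside the hunk, so this is inferred rather than confirmed). If the two workflows are meant to agree, change the lines to `if: ${{ contains(github.event.issue.body, '//lesson-plan') }}` and `content-type: 'lesson-plan'`. Note that doing so makes `//lesson` a substring of `//lesson-plan`, so `lesson-issue` would then need an `&& !contains(github.event.issue.body, '//lesson-plan')` guard as well.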
@@ -5,11 +5,18 @@ on: - cron: '0 6,18 * * *' workflow_dispatch: +# Disable permissions for all available scopes by default. +# Any needed permissions should be configured at the job level. +permissions: {} + jobs: translation-strings: name: Translation strings runs-on: ubuntu-latest + timeout-minutes: 30 + permissions: + contents: write # Required to commit and push updated translation strings steps: - uses: actions/checkout@v4 diff --git a/.github/workflows/incomplete-workflows/add-to-project-when-labeled.yml b/.github/workflows/incomplete-workflows/add-to-project-when-labeled.yml index 562002313..124bd2e8b 100644 --- a/.github/workflows/incomplete-workflows/add-to-project-when-labeled.yml +++ b/.github/workflows/incomplete-workflows/add-to-project-when-labeled.yml @@ -9,10 +9,18 @@ on: types: - labeled +# Disable permissions for all available scopes by default. +# Any needed permissions should be configured at the job level. +permissions: {} + jobs: add-to-web-development-project: name: Add issues labeled "[Type] Bug" to web development project runs-on: ubuntu-latest + timeout-minutes: 10 + permissions: + issues: read # Required to read issue data + projects: write # Required to add issues to the GitHub project steps: - uses: actions/add-to-project@v0.5.0 if: contains(github.event.issue.labels.*.name, 'Awaiting Triage') @@ -24,6 +32,10 @@ jobs: add-to-content-feedback-project: name: Add issues labeled "Content Feedback" to LearnWP Content - Feedback project runs-on: ubuntu-latest + timeout-minutes: 10 + permissions: + issues: read # Required to read issue data + projects: write # Required to add issues to the GitHub project steps: - uses: actions/add-to-project@v0.5.0 if: contains(github.event.issue.labels.*.name, 'Awaiting Triage') 
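Review bot: This scheduled job now carries `contents: write` in order to push commits, but its first step `actions/checkout@v4` is a floating tag, and whatever later step regenerates and pushes the translation files (outside the hunk) is exactly what a hijacked tag would target; pin every `uses:` to a full commit SHA with the version in a trailing comment, matching the SHA pin already present in automate-review-documentation.yml. It would also be worth stating in the permission comment which branch receives the commits, since a token that writes `trunk` directly puts generated strings into the default branch without review.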
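Review bot: `projects: write` on the default `GITHUB_TOKEN` only covers classic repository projects, while `actions/add-to-project` targets Projects (v2), whose API the default token cannot reach, so the action normally needs a PAT or GitHub App token passed through its `github-token` input (the step's `with:` block is outside the hunk, so I cannot confirm which token is used). If a PAT is already supplied, the `projects: write` grant is dead weight and can be dropped; if it is not, the job will fail at runtime despite the permissions looking correct. Either way, record the reasoning inline, e.g. `projects: write # Classic projects only; Projects (v2) needs a PAT/App token via github-token`.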
@@ -35,6 +47,10 @@ jobs: add-to-admin-project: name: Add handbook issues to Training Team Administration project runs-on: ubuntu-latest + timeout-minutes: 10 + permissions: + issues: read # Required to read issue data + projects: write # Required to add issues to the GitHub project steps: - uses: actions/add-to-project@v0.5.0 if: contains(github.event.issue.labels.*.name, 'Awaiting Triage') || contains(github.event.issue.labels.*.name, '[Admin] Meeting Agenda') diff --git a/.github/workflows/incomplete-workflows/automate-review-documentation.yml b/.github/workflows/incomplete-workflows/automate-review-documentation.yml index a69290a61..2626b0962 100644 --- a/.github/workflows/incomplete-workflows/automate-review-documentation.yml +++ b/.github/workflows/incomplete-workflows/automate-review-documentation.yml @@ -14,12 +14,18 @@ on: issues: types: - labeled + +# Disable permissions for all available scopes by default. +# Any needed permissions should be configured at the job level. +permissions: {} + jobs: add-comment: if: github.event.label.name == 'Ready for Review' runs-on: ubuntu-latest + timeout-minutes: 10 permissions: - issues: write + issues: write # Required to post comments on issues steps: - name: Add comment uses: peter-evans/create-or-update-comment@5f728c3dae25f329afbe34ee4d08eef25569d79f diff --git a/.github/workflows/label-feedback-from-comment.yml b/.github/workflows/label-feedback-from-comment.yml index 2f65acc37..aefb706b8 100644 --- a/.github/workflows/label-feedback-from-comment.yml +++ b/.github/workflows/label-feedback-from-comment.yml 
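Review bot: The condition `contains(github.event.issue.labels.*.name, 'Awaiting Triage') || contains(github.event.issue.labels.*.name, '[Admin] Meeting Agenda')` inspects the issue's entire label set rather than the label that was just applied, so under `on: issues: types: [labeled]` the job re-runs — and re-adds the item — every time any unrelated label is added to an issue that already carries one of these. automate-review-documentation.yml in this same diff uses the precise form `github.event.label.name == 'Ready for Review'`; use `if: github.event.label.name == 'Awaiting Triage' || github.event.label.name == '[Admin] Meeting Agenda'` here and in the two sibling jobs above. The step's `with:` inputs are outside the hunk.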
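Review bot: The SHA pin `peter-evans/create-or-update-comment@5f728c3dae25f329afbe34ee4d08eef25569d79f` is the right practice, but without a trailing version comment nobody can audit or bump it by hand, and tools such as Dependabot use that comment to keep the pin current; annotate it as `uses: peter-evans/create-or-update-comment@5f728c3dae25f329afbe34ee4d08eef25569d79f # vX.Y.Z` with the release the SHA belongs to. This is also the only file in the change that pins by SHA — the same action appears as `@v3` in comment-with-checklist.yml and review-instructions.yml — so the pinning policy should be made consistent rather than left to individual files.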
@@ -5,13 +5,18 @@ on: issue_comment: types: [created, edited] +# Disable permissions for all available scopes by default. +# Any needed permissions should be configured at the job level. +permissions: {} + jobs: label_issues: if: ${{ !github.event.issue.pull_request }} runs-on: ubuntu-latest + timeout-minutes: 10 permissions: - issues: write + issues: write # Required to add labels to issues steps: - uses: actions/github-script@v7.0.1 with: diff --git a/.github/workflows/label-feedback-from-issue.yml b/.github/workflows/label-feedback-from-issue.yml index 1800e704d..3ca5d226c 100644 --- a/.github/workflows/label-feedback-from-issue.yml +++ b/.github/workflows/label-feedback-from-issue.yml @@ -5,13 +5,18 @@ on: issues: types: [opened, edited] +# Disable permissions for all available scopes by default. +# Any needed permissions should be configured at the job level. +permissions: {} + jobs: label_issues: if: ${{ !github.event.issue.pull_request }} runs-on: ubuntu-latest + timeout-minutes: 10 permissions: - issues: write + issues: write # Required to add labels to issues steps: - uses: actions/github-script@v7.0.1 with: diff --git a/.github/workflows/linters.yml b/.github/workflows/linters.yml index f53bd1a39..224cebf86 100644 --- a/.github/workflows/linters.yml +++ b/.github/workflows/linters.yml @@ -7,10 +7,17 @@ on: pull_request: workflow_dispatch: +# Disable permissions for all available scopes by default. +# Any needed permissions should be configured at the job level. +permissions: {} + jobs: check: name: Lint runs-on: ubuntu-latest + timeout-minutes: 30 + permissions: + contents: read # Required to clone the repo steps: - uses: actions/checkout@v4 diff --git a/.github/workflows/published-content.yml b/.github/workflows/published-content.yml index d64d99dd6..7dc0a3af7 100644 --- a/.github/workflows/published-content.yml +++ b/.github/workflows/published-content.yml 
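Review bot: The job runs `actions/github-script@v7.0.1` with `issues: write` on comments from any account, and the script body (outside the hunk) is where the exposure lies: if it interpolates `${{ github.event.comment.body }}` into the JavaScript, an attacker-controlled comment becomes code executing with this token. Read the text inside the script from `context.payload.comment.body` and keep `${{ }}` interpolation to fixed values; the `types: [created, edited]` trigger lets an attacker retry indefinitely by editing, so there is no rate limit on attempts. The `!github.event.issue.pull_request` guard is good and should be copied to the other `issue_comment` workflows in this change that lack it.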
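Review bot: The guard `if: ${{ !github.event.issue.pull_request }}` is, as far as I know, redundant under an `issues:` trigger — that event is not emitted for pull requests — so the expression is always true and only betrays that the job was copied from the comment-driven variant; it is harmless, but a short comment or its removal would avoid confusing the next reader. The same caveat as for comments applies to the `actions/github-script@v7.0.1` step: the title and body of a freshly opened issue are attacker-controlled, so the script (outside the hunk) should read them from `context.payload.issue` rather than through `${{ }}` interpolation.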
@@ -7,10 +7,17 @@ on: issue_comment: types: [created, edited] +# Disable permissions for all available scopes by default. +# Any needed permissions should be configured at the job level. +permissions: {} + jobs: - publish-commment: + publish-comment: runs-on: ubuntu-latest + timeout-minutes: 10 if: contains(github.event.comment.body, '//publish') + permissions: + issues: write # Required to add/remove labels and close issues steps: - name: Remove co-host label if: contains(github.event.issue.labels.*.name, '[Content] Needs Co-host') diff --git a/.github/workflows/review-instructions.yml b/.github/workflows/review-instructions.yml index c00ecdf6c..a34a78ddd 100644 --- a/.github/workflows/review-instructions.yml +++ b/.github/workflows/review-instructions.yml @@ -3,14 +3,19 @@ on: issue_comment: types: [created, edited] +# Disable permissions for all available scopes by default. +# Any needed permissions should be configured at the job level. +permissions: {} + jobs: add-comment: runs-on: ubuntu-latest + timeout-minutes: 10 permissions: - issues: write + issues: write # Required to post comments on issues steps: - uses: peter-evans/create-or-update-comment@v3 - if: ${{ contains(github.event.comment.body, '//review') }} + if: ${{ contains(github.event.comment.body, '//review') }} with: issue-number: ${{ github.event.issue.number }} body: | diff --git a/.github/workflows/self-assign-issue.yml b/.github/workflows/self-assign-issue.yml index a24c8c111..12857e5d1 100644 --- a/.github/workflows/self-assign-issue.yml +++ b/.github/workflows/self-assign-issue.yml 
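Review bot: `if: contains(github.event.comment.body, '//publish')` lets any account that can comment — including non-collaborators, and including comments on pull requests since `issue_comment` fires for both — drive a job that, per the new permission comment, removes labels and closes issues. Gate it on the commenter's role and the issue type: `if: contains(github.event.comment.body, '//publish') && !github.event.issue.pull_request && contains(fromJSON('["OWNER","MEMBER","COLLABORATOR"]'), github.event.comment.author_association)`. The remaining steps of the job are outside the hunk.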
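Review bot: The only non-permission change here is whitespace on the `if: ${{ contains(github.event.comment.body, '//review') }}` line, and the step still uses the floating tag `peter-evans/create-or-update-comment@v3` while automate-review-documentation.yml in the same diff pins the identical action to a full SHA; align them so the `issues: write` token is exposed to one audited revision. Posting fixed instructions is low impact, but since `issue_comment` also fires for pull-request comments, add `&& !github.event.issue.pull_request` to the condition as label-feedback-from-comment.yml does, unless PR comments are meant to trigger it.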
@@ -5,10 +5,17 @@ on: issue_comment: types: [created, edited] +# Disable permissions for all available scopes by default. +# Any needed permissions should be configured at the job level. +permissions: {} + jobs: assign-issue: if: contains(github.event.comment.body, '//assign') runs-on: ubuntu-latest + timeout-minutes: 10 + permissions: + issues: write # Required to assign issues, add labels, and post comments steps: - name: Assign the comment author uses: takanome-dev/assign-issue-action@v2.0.0
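Review bot: `takanome-dev/assign-issue-action@v2.0.0` is a third-party action from an individual account that now receives a token with `issues: write`, and it is referenced by a mutable tag; for a dependency of that provenance a full commit SHA with a `# v2.0.0` comment is the minimum, consistent with the SHA pin used in automate-review-documentation.yml. The `//assign` trigger is reachable by any commenter, which is presumably the intended self-service flow, but like the other `issue_comment` workflows it also fires for pull-request comments; add `&& !github.event.issue.pull_request` to the job's `if` unless assignment from PR threads is wanted. The action's `with:` inputs are outside the hunk.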